From 4450d34fee38c7c9a8a6efa7105b098f5588ab52 Mon Sep 17 00:00:00 2001 From: Kevin Kirsche Date: Mon, 13 Aug 2018 21:27:51 -0400 Subject: [PATCH 1/7] Remove SSH scanner using known_hosts Fix #10266 This disables writing to the `known_hosts` file when performing auxiliary ssh scans. --- lib/metasploit/framework/login_scanner/ssh.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb index 2ff78df405d1..a98d0ae47be3 100644 --- a/lib/metasploit/framework/login_scanner/ssh.rb +++ b/lib/metasploit/framework/login_scanner/ssh.rb @@ -55,7 +55,8 @@ def attempt_login(credential) :config => false, :verbose => verbosity, :proxy => factory, - :non_interactive => true + :non_interactive => true, + :verify_host_key => :never } case credential.private_type when :password, nil From 3783347d73678fbbe1c10e4e053a9a0e1799761c Mon Sep 17 00:00:00 2001 From: Kevin Kirsche Date: Mon, 13 Aug 2018 22:20:23 -0400 Subject: [PATCH 2/7] Fix failing argument spec test --- .../framework/login_scanner/ssh_spec.rb | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb index 9110dc0c9787..5b7d54505c6f 100644 --- a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb +++ b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb 
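Review bot: `:verify_host_key => :never` selects net-ssh's null verifier, so it skips host-key checking entirely rather than merely suppressing the known_hosts write that the commit message describes, and an on-path attacker can now impersonate any target and collect every credential the scanner sends. That trade-off is defensible for a scanner spraying throwaway or already-leaked credentials across many hosts, but it should be stated at the option, e.g. `:verify_host_key => :never # never verify or record host keys; scanning must not pollute ~/.ssh/known_hosts (#10266)`. Note also that `:never` is a net-ssh 5.x value; 4.x expects `false` here and raises ArgumentError on unrecognised symbols, so the pinned net-ssh version should be confirmed. attempt_login continues outside the hunk.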
@@ -161,13 +161,14 @@ it 'calls Net::SSH with the correct arguments' do factory = Rex::Socket::SSHFactory.new(nil,nil,nil) opt_hash = { - :auth_methods => ['publickey'], - :port => ssh_scanner.port, - :use_agent => false, - :key_data => key, - :config => false, - :verbose => ssh_scanner.verbosity, - :proxy => factory + :auth_methods => ['publickey'], + :port => ssh_scanner.port, + :use_agent => false, + :key_data => key, + :config => false, + :verbose => ssh_scanner.verbosity, + :proxy => factory, + :verify_host_key => :never } allow(Rex::Socket::SSHFactory).to receive(:new).and_return factory expect(Net::SSH).to receive(:start).with( From 2e75f46d34bdcdde2f3c2ce5a25e59cd82253dd8 Mon Sep 17 00:00:00 2001 From: Kevin Kirsche Date: Mon, 13 Aug 2018 22:30:01 -0400 Subject: [PATCH 3/7] Fix failing argument for password based spec test --- spec/lib/metasploit/framework/login_scanner/ssh_spec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb index 5b7d54505c6f..39bb685fafc9 100644 --- a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb +++ b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb @@ -145,7 +145,8 @@ :proxy => factory, :auth_methods => ['password','keyboard-interactive'], :password => private, - :non_interactive => true + :non_interactive => true, + :verify_host_key => :never } allow(Rex::Socket::SSHFactory).to receive(:new).and_return factory expect(Net::SSH).to receive(:start).with( From 905f26372d07a3555c7c7872b5ab9ac2153f082c Mon Sep 17 00:00:00 2001 
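Review bot: The entire `opt_hash` literal is re-indented in this spec hunk, so a one-key addition shows as an eight-line rewrite and blame for every existing option now points at this commit; the same churn recurs in most hunks of the series. Keeping the original indentation and adding only `:verify_host_key => :never` after `:proxy => factory,` would make the real change reviewable. The expectation itself is correct: the hash is passed to `expect(Net::SSH).to receive(:start).with(` verbatim, so the spec has to list the new key.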
From: Kevin Kirsche Date: Wed, 15 Aug 2018 06:48:35 -0700 Subject: [PATCH 4/7] Remove host key checks on ssh scanner modules --- .../ssh/apache_karaf_command_execution.rb | 15 ++++++----- .../scanner/ssh/cerberus_sftp_enumusers.rb | 26 ++++++++++--------- .../scanner/ssh/fortinet_backdoor.rb | 13 +++++----- .../auxiliary/scanner/ssh/juniper_backdoor.rb | 11 ++++---- .../auxiliary/scanner/ssh/ssh_enumusers.rb | 3 ++- .../scanner/ssh/ssh_identify_pubkeys.rb | 3 ++- 6 files changed, 39 insertions(+), 32 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb index 82ca5afee185..ccf2c21373b4 100644 --- a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb +++ b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb @@ -70,13 +70,14 @@ def cmd def do_login(user, pass, ip) factory = ssh_socket_factory opts = { - auth_methods: ['password'], - port: rport, - config: false, - use_agent: false, - password: pass, - proxy: factory, - non_interactive: true + :auth_methods => ['password'], + :port => rport, + :config => false, + :use_agent => false, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb index 47b5a792ee10..6e9110bb003d 100644 --- a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb 
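Review bot: Rewriting `auth_methods: [...]` as `:auth_methods => [...]` in do_login is a style regression (RuboCop Style/HashSyntax) that the hunk contradicts one line later, where `opts.merge!(verbose: :debug)` keeps the Ruby 1.9 form. The minimal change is `non_interactive: true,` followed by `verify_host_key: :never` with the rest of the hash untouched; the same applies to most hunks in this patch and the next. Rocket syntax is only needed for non-symbol keys, which none of these hashes use.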
@@ -67,13 +67,14 @@ def retry_num def check_vulnerable(ip) opt_hash = { - port: rport, - auth_methods: ['password', 'keyboard-interactive'], - use_agent: false, - config: false, - password_prompt: Net::SSH::Prompt.new, - non_interactive: true, - proxies: datastore['Proxies'] + :port => rport, + :auth_methods => ['password', 'keyboard-interactive'], + :use_agent => false, + :config => false, + :password_prompt => Net::SSH::Prompt.new, + :non_interactive => true, + :proxies => datastore['Proxies'], + :verify_host_key => :never } begin @@ -105,11 +106,12 @@ def check_user(ip, user, port) pass = Rex::Text.rand_text_alphanumeric(8) opt_hash = { - auth_methods: ['password', 'keyboard-interactive'], - port: port, - use_agent: false, - config: false, - proxies: datastore['Proxies'] + :auth_methods => ['password', 'keyboard-interactive'], + :port => port, + :use_agent => false, + :config => false, + :proxies => datastore['Proxies'], + :verify_host_key => :never } opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 70e83503f2c3..797f299efc66 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -48,14 +48,15 @@ def run_host(ip) factory = ssh_socket_factory ssh_opts = { - port: rport, + :port => rport, # The auth method is converted into a class name for instantiation, # so fortinet-backdoor here becomes FortinetBackdoor from the mixin - auth_methods: ['fortinet-backdoor'], - non_interactive: true, - config: false, - use_agent: false, - proxy: factory + :auth_methods => ['fortinet-backdoor'], + :non_interactive => true, + :config => false, + :use_agent => false, + :proxy => factory, + :verify_host_key => :never } ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] 
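Review bot: The `opt_hash` in check_user still lacks `:non_interactive => true`, although check_vulnerable in the hunk above sets it for the same `['password', 'keyboard-interactive']` auth methods. Without it net-ssh's keyboard-interactive handler may fall back to prompting on the console when the random password is rejected, which would stall a scan instead of failing it — I have not traced the exact prompt path in the installed net-ssh, so treat this as something to verify. Adding `:non_interactive => true,` beside the new `:verify_host_key => :never` keeps the two hashes consistent; the rest of check_user lies outside the hunk.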
diff --git a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb index 79e151e3c27f..48518110ddaf 100644 --- a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb @@ -43,11 +43,12 @@ def initialize(info = {}) def run_host(ip) factory = ssh_socket_factory ssh_opts = { - port: rport, - auth_methods: ['password', 'keyboard-interactive'], - password: %q{<<< %s(un='%s') = %u}, - proxy: factory, - :non_interactive => true + :port => rport, + :auth_methods => ['password', 'keyboard-interactive'], + :password => %q{<<< %s(un='%s') = %u}, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index 265cf9071eb1..b7cd1a95dae5 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb @@ -86,7 +86,8 @@ def check_user(ip, user, port) :password => pass, :config => false, :proxy => factory, - :non_interactive => true + :non_interactive => true, + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb index cfce1a497da8..5ff1c4ab2079 100644 --- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb +++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb @@ -210,7 +210,8 @@ def do_login(ip, port, user) :use_agent => false, :config =>false, :proxy => factory, - :non_interactive => true + :non_interactive => true, + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] From 09434bd57c9e68503dc432111abe657712f0eee2 Mon Sep 17 00:00:00 2001 
From: Kevin Kirsche Date: Wed, 15 Aug 2018 07:00:45 -0700 Subject: [PATCH 5/7] Fix tabbing caused by incorrect VM nvim configuration --- .../auxiliary/scanner/ssh/ssh_identify_pubkeys.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb index 5ff1c4ab2079..3f5dd7462177 100644 --- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb +++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb @@ -204,14 +204,14 @@ def do_login(ip, port, user) factory = ssh_socket_factory opt_hash = { - :auth_methods => ['publickey'], - :port => port, - :key_data => key_data[:public], - :use_agent => false, - :config =>false, - :proxy => factory, + :auth_methods => ['publickey'], + :port => port, + :key_data => key_data[:public], + :use_agent => false, + :config =>false, + :proxy => factory, :non_interactive => true, - :verify_host_key => :never + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] From cd01f11fd2d5b323e93c73f35755e8c3f15c79ed Mon Sep 17 00:00:00 2001 
From: Kevin Kirsche Date: Wed, 15 Aug 2018 14:54:41 -0700 Subject: [PATCH 6/7] Remove verifying host keys for all exploits --- .../apple_ios/ssh/cydia_default_ssh.rb | 15 +++++----- .../ssh/ceragon_fibeair_known_privkey.rb | 15 +++++----- .../linux/ssh/exagrid_known_privkey.rb | 15 +++++----- .../linux/ssh/f5_bigip_known_privkey.rb | 15 +++++----- ...oadbalancerorg_enterprise_known_privkey.rb | 15 +++++----- .../exploits/linux/ssh/mercurial_ssh_exec.rb | 15 +++++----- .../linux/ssh/quantum_dxi_known_privkey.rb | 15 +++++----- .../linux/ssh/quantum_vmpro_backdoor.rb | 15 +++++----- .../exploits/linux/ssh/solarwinds_lem_exec.rb | 15 +++++----- .../exploits/linux/ssh/symantec_smg_ssh.rb | 15 +++++----- .../linux/ssh/ubiquiti_airos_file_upload.rb | 15 +++++----- .../linux/ssh/vmware_vdp_known_privkey.rb | 15 +++++----- modules/exploits/multi/ssh/sshexec.rb | 15 +++++----- .../ssh/array_vxag_vapv_privkey_privesc.rb | 30 ++++++++++--------- .../unix/ssh/tectia_passwd_changereq.rb | 6 +++- .../windows/ssh/freesshd_authbypass.rb | 13 ++++---- .../windows/ssh/sysax_ssh_username.rb | 3 +- 17 files changed, 134 insertions(+), 113 deletions(-) diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index 8587909e9cc3..257297af1249 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -79,13 +79,14 @@ def rport def do_login(user, pass) factory = ssh_socket_factory opts = { - auth_methods: ['password', 'keyboard-interactive'], - port: rport, - use_agent: false, - config: false, - password: pass, - proxy: factory, - non_interactive: true + :auth_methods => ['password', 'keyboard-interactive'], + :port => rport, + :use_agent => false, + :config => false, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] 
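Review bot: In an exploit module the session opened with `:verify_host_key => :never` carries the payload, so anyone who can intercept the path to the target can present their own host key, accept the default credentials, and receive the payload in place of the target — unlike the scanners there is a second party to protect here. That is normally acceptable for a module aimed at a device with known default credentials, but the decision deserves a comment at the option, e.g. `# host keys are neither verified nor recorded (see #10266)`, and the same applies to every exploit hunk in this patch. do_login continues past the hunk.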
diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index 367f9fb1ca22..aef937ea99c1 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb @@ -74,13 +74,14 @@ def rport def do_login(user) factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) opt_hash = { - auth_methods: ['publickey'], - port: rport, - key_data: [ key_data ], - use_agent: false, - config: false, - proxy: factory, - non_interactive: true + :auth_methods => ['publickey'], + :port => rport, + :key_data => [ key_data ], + :use_agent => false, + :config => false, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index de488709546c..c48f9c5a3c64 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb @@ -118,13 +118,14 @@ def exploit factory = ssh_socket_factory ssh_options = { - auth_methods: ['publickey'], - config: false, - use_agent: false, - key_data: [ key_data ], - port: rport, - proxy: factory, - non_interactive: true + :auth_methods => ['publickey'], + :config => false, + :use_agent => false, + :key_data => [ key_data ], + :port => rport, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index fee94159e78d..f93995af4dac 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb 
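Review bot: ceragon's do_login builds its factory with `Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])` while exagrid in the same patch uses the `ssh_socket_factory` helper; f5 and vmware repeat the direct call. Since the whole hash is being rewritten anyway, changing the line above it to `factory = ssh_socket_factory` would put these modules on one code path, assuming the helper is available through the mixin the sibling modules rely on. The remainder of do_login is outside the hunk.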
@@ -77,13 +77,14 @@ def do_login(user) factory = Rex::Socket::SSHFactory.new(framework, self, datastore['Proxies']) opt_hash = { - auth_methods: ['publickey'], - port: rport, - key_data: [ key_data ], - use_agent: false, - config: false, - proxy: factory, - non_interactive: true + :auth_methods => ['publickey'], + :port => rport, + :key_data => [ key_data ], + :use_agent => false, + :config => false, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opt_hash[:verbose] = :debug if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index 65e2b9b5d7fa..396f88a742db 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb @@ -71,13 +71,14 @@ def rport def do_login(user) factory = ssh_socket_factory opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true + :auth_methods => ['publickey'], + :port => rport, + :key_data => [ key_data ], + :use_agent => false, + :config => false, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin diff --git a/modules/exploits/linux/ssh/mercurial_ssh_exec.rb b/modules/exploits/linux/ssh/mercurial_ssh_exec.rb index ead4047928fe..552ee1cc8e9f 100644 --- a/modules/exploits/linux/ssh/mercurial_ssh_exec.rb +++ b/modules/exploits/linux/ssh/mercurial_ssh_exec.rb 
@@ -74,13 +74,14 @@ def ssh_priv_key def exploit factory = ssh_socket_factory ssh_options = { - auth_methods: ['publickey'], - config: false, - use_agent: false, - key_data: [ ssh_priv_key ], - port: rport, - proxy: factory, - non_interactive: true + :auth_methods => ['publickey'], + :config => false, + :use_agent => false, + :key_data => [ ssh_priv_key ], + :port => rport, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index ac8692b7bfcc..c934a8c06f6a 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -70,13 +70,14 @@ def rport def do_login(user) factory = ssh_socket_factory opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true + :auth_methods => ['publickey'], + :port => rport, + :key_data => [ key_data ], + :use_agent => false, + :config => false, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb index 3d369744c834..977c3bbd6ef4 100644 --- a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb +++ b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb 
@@ -82,13 +82,14 @@ def rport def do_login(user, pass) factory = ssh_socket_factory opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => true, - :password => pass, - :proxy => factory, - :non_interactive => true + :auth_methods => ['password', 'keyboard-interactive'], + :port => rport, + :use_agent => false, + :config => true, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb index 1a6a65a62342..346dc5176f11 100644 --- a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb +++ b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb @@ -75,13 +75,14 @@ def password def exploit factory = ssh_socket_factory opts = { - :auth_methods => ['keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => false, - :password => password, - :proxy => factory, - :non_interactive => true + :auth_methods => ['keyboard-interactive'], + :port => rport, + :use_agent => false, + :config => false, + :password => password, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index 5e878c493583..b347714e1db0 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb 
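Review bot: quantum_vmpro's do_login keeps `:config => true`, so Net::SSH.start will still read the operator's `~/.ssh/config` for the target host; explicit options should take precedence over file-derived ones, so the new `:verify_host_key => :never` still wins over a `StrictHostKeyChecking` entry, but other directives (IdentityFile, ProxyCommand, port overrides) can still shape the connection. Every other module in this patch passes `:config => false`; unless reading the config is intentional here, `:config => false,` would match them. Whether anything downstream depends on the config load is not visible from the hunk.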
@@ -86,13 +86,14 @@ def rport def do_login(user, pass) factory = ssh_socket_factory opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => false, - :password => pass, - :proxy => factory, - :non_interactive => true + :auth_methods => ['password', 'keyboard-interactive'], + :port => rport, + :use_agent => false, + :config => false, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb index 128cfab33fc9..7d8136bf8a81 100644 --- a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb +++ b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb @@ -124,13 +124,14 @@ def ssh_login factory = ssh_socket_factory ssh_opts = { - port: datastore['SSH_PORT'], - auth_methods: %w{publickey password}, - key_data: [private_key], - non_interactive: true, - config: false, - use_agent: false, - proxy: factory + :port => datastore['SSH_PORT'], + :auth_methods => %w{publickey password}, + :key_data => [private_key], + :non_interactive => true, + :config => false, + :use_agent => false, + :proxy => factory, + :verify_host_key => :never } ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index 6a688756a5c4..99c54f34dfd1 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb 
@@ -70,13 +70,14 @@ def rport def do_login() factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) opt_hash = { - auth_methods: ['publickey'], - port: rport, - key_data: [ key_data ], - use_agent: false, - config: false, - proxy: factory, - non_interactive: true + :auth_methods => ['publickey'], + :port => rport, + :key_data => [ key_data ], + :use_agent => false, + :config => false, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index ab9bb533caa0..2da695080b04 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -147,13 +147,14 @@ def execute_command(cmd, opts = {}) def do_login(ip, user, pass, port) factory = ssh_socket_factory opt_hash = { - auth_methods: ['password', 'keyboard-interactive'], - port: port, - use_agent: false, - config: false, - password: pass, - proxy: factory, - non_interactive: true + :auth_methods => ['password', 'keyboard-interactive'], + :port => port, + :use_agent => false, + :config => false, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opt_hash[:verbose] = :debug if (datastore['SSH_DEBUG']) diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb index e16a7cc60ce0..d546acc4cfc1 100644 --- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb +++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb 
@@ -101,13 +101,14 @@ def login_key(user) factory = ssh_socket_factory opts = { - :auth_methods => ['publickey'], - :port => rport, - :use_agent => false, - :config => true, - :key_data => key_data, - :proxy => factory, - :non_interactive => true + :auth_methods => ['publickey'], + :port => rport, + :use_agent => false, + :config => true, + :key_data => key_data, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts @@ -117,13 +118,14 @@ def login_user_pass(user, pass) print_status("#{rhost}:#{rport} - Attempting to login with '#{user}:#{pass}'") factory = ssh_socket_factory opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => true, - :password => pass, - :proxy => factory, - :non_interactive => true + :auth_methods => ['password', 'keyboard-interactive'], + :port => rport, + :use_agent => false, + :config => true, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never } opts diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index f42f9110040c..2d8884fa3a10 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb @@ -186,7 +186,11 @@ def userauth_passwd_change(user, transport, connection) end def init_ssh(user) - opts = {:user=>user, :port=>rport} + opts = { + :user => user, + :port => rport, + :verify_host_key => :never + } options = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts) transport = Net::SSH::Transport::Session.new(rhost, options) connection = Net::SSH::Connection::Session.new(transport, options) diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb index 6076934d1142..ef1017bd2949 100644 --- a/modules/exploits/windows/ssh/freesshd_authbypass.rb 
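Review bot: login_key keeps `:config => true` alongside the new `:verify_host_key => :never`, so the operator's `~/.ssh/config` is still loaded for this connection even though the explicit option should override any `StrictHostKeyChecking` it yields. The sibling modules in this patch use `:config => false`; if the config load is not deliberate, `:config => false,` here (and in login_user_pass below) would align them. The hash is returned as-is at the end of the hunk, so callers are not visible.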
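Review bot: init_ssh merges `opts` on top of `Net::SSH::Config.for(rhost, Net::SSH::Config.default_files)`, so the explicit `:verify_host_key => :never` overrides whatever `StrictHostKeyChecking` the operator's ssh config produces, but every other directive in that file (ProxyCommand, IdentityFile, user settings) still applies to the hand-built `Transport::Session` — the `:config => false` the other modules use is honoured by `Net::SSH.start`, not by this direct construction. A comment above the merge, e.g. `# explicit opts win over ~/.ssh/config; host keys are never verified (#10266)`, would record that, and it is worth confirming the installed net-ssh's Transport::Session selects its verifier from `:verify_host_key` rather than the older `:paranoid` key. The rest of init_ssh runs past the hunk.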
+++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb @@ -80,12 +80,13 @@ def execute_command(cmd, _opts = {}) def setup_ssh_options { - password: rand_text_alpha(8), - port: datastore['RPORT'], - timeout: 1, - proxies: datastore['Proxies'], - key_data: OpenSSL::PKey::RSA.new(2048).to_pem, - auth_methods: ['publickey'] + :password => rand_text_alpha(8), + :port => datastore['RPORT'], + :timeout => 1, + :proxies => datastore['Proxies'], + :key_data => OpenSSL::PKey::RSA.new(2048).to_pem, + :auth_methods => ['publickey'], + :verify_host_key => :never } end diff --git a/modules/exploits/windows/ssh/sysax_ssh_username.rb b/modules/exploits/windows/ssh/sysax_ssh_username.rb index 5b4b248e20b0..ce5016b3c3f5 100644 --- a/modules/exploits/windows/ssh/sysax_ssh_username.rb +++ b/modules/exploits/windows/ssh/sysax_ssh_username.rb @@ -202,7 +202,8 @@ def exploit timeout: 1, proxy: factory, config: false, - non_interactive: true + non_interactive: true, + verify_host_key: :never ) ::Timeout.timeout(1) { ssh.close } From 45e0b53fc8997d9137177f12f7a51f1e043922cd Mon Sep 17 00:00:00 2001 From: Kevin Kirsche Date: Wed, 15 Aug 2018 14:59:52 -0700 Subject: [PATCH 7/7] Fix spacing issue with rocket --- modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb index 3f5dd7462177..2ed04c230f8b 100644 --- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb +++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb @@ -208,7 +208,7 @@ def do_login(ip, port, user) :port => port, :key_data => key_data[:public], :use_agent => false, - :config =>false, + :config => false, :proxy => factory, :non_interactive => true, :verify_host_key => :never
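Review bot: setup_ssh_options gains `:verify_host_key => :never` but, unlike every other hash in this series, sets no `:config => false`, so if the hash goes straight to `Net::SSH.start` the operator's `~/.ssh/config` is still consulted for the target (the start call is outside the hunk, so this is inferred). Adding `:config => false,` beside the new key would align it with the rest. Separately, `OpenSSL::PKey::RSA.new(2048).to_pem` generates a fresh 2048-bit keypair every time this method runs, which is noticeable if it is evaluated per connection attempt, and `:password => rand_text_alpha(8)` is unused with `auth_methods: ['publickey']`.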